Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1989 vulnerabilities reference this CWE, most recent first.

GHSA-6G5Q-PC77-85J9

Vulnerability from github – Published: 2022-05-17 04:46 – Updated: 2022-05-17 04:46
VLAI
Details

The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-4472"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-04-22T14:23:00Z",
    "severity": "LOW"
  },
  "details": "The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.",
  "id": "GHSA-6g5q-pc77-85j9",
  "modified": "2022-05-17T04:46:05Z",
  "published": "2022-05-17T04:46:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4472"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/99064"
    },
    {
      "type": "WEB",
      "url": "http://poppler.freedesktop.org/releases.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/oss-sec/2013/q4/181"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/oss-sec/2013/q4/183"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6GCG-HP2X-Q54H

Vulnerability from github – Published: 2022-05-23 21:13 – Updated: 2022-05-23 21:13
VLAI
Summary
Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server
Details

Impact

All unpatched versions of Argo CD starting with v0.7.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server.

A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. * If the target file is a valid JSON or YAML manifest file, and the resource is allowed in the Application, the attacker can read the contents of that manifest file. (In versions <2.3.2, <2.2.8, and <2.1.14, the attacker may read the files contents even if the resource is not allowed in the Application). * If the target file is valid JSON but is not a manifest file, the attacker may read the contents of the file. * If the target file is not valid JSON or YAML, the attacker may read partial file contents (usually just the first character of the file).

Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server.

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

  • v2.3.4
  • v2.2.9
  • v2.1.15

Workarounds

  • If you are using >=v2.3.0 and do not have any Jsonnet/directory-type Applications, disable the Jsonnet/directory config management tool. The config key is called jsonnet.enable since the same build tool is used for both Jsonnet and plain-manifest ("directory") sources.

Mitigations

  • Avoid mounting JSON-formatted secrets as files on the repo-server.
  • Upgrade to >=2.3.0 to significantly reduce the risk of leaking out-of-bounds manifest files. Starting with 2.3.0, repository paths are randomized, and read permissions are restricted when manifests are not being actively being generated. This makes it very difficult to craft and use a malicious symlink.
  • Upgrade to >=2.3.3, >=2.2.8, or >= 2.1.14 to significantly reduce the risk of leaking the contents of (but not the existence of) out-of-bounds manifest files. These versions prevent attackers from loading manifests which are not permitted in the Project which governs the Application.

Best practices which can mitigate risk

  • Limit who has push access to manifest repositories.
  • Limit who is allowed to configure new source repositories.
  • Limit resource kinds and destinations allowed for Projects, and restrict user access to only the necessary Projects.

Credits

This vulnerability was originally discovered as part of the Trail of Bits audit, published March 12, 2021. The behavior was left unchanged at the time.

The vulnerability was independently re-discovered by @crenshaw-dev, who contributed the patch. A security audit by Ada Logics independently followed up on the Trail of Bits report around the same time.

References

For more information

Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-23T21:13:57Z",
    "nvd_published_at": "2022-05-20T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAll unpatched versions of Argo CD starting with v0.7.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD\u0027s repo-server.\n\nA malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. \n* If the target file is a valid JSON or YAML manifest file, and the resource is allowed in the Application, the attacker can read the contents of that manifest file. (In versions \u003c2.3.2, \u003c2.2.8, and \u003c2.1.14, the attacker may read the files contents even if the resource is _not_ allowed in the Application). \n* If the target file is valid JSON but is _not_ a manifest file, the attacker may read the contents of the file. \n* If the target file is not valid JSON or YAML, the attacker may read partial file contents (usually just the first character of the file).\n\nSensitive files which could be leaked include manifest files from other Applications\u0027 source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server.\n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.3.4\n* v2.2.9\n* v2.1.15\n\n### Workarounds\n\n* If you are using \u003e=v2.3.0 and do not have any Jsonnet/directory-type Applications, [disable the Jsonnet/directory config management tool](https://argo-cd.readthedocs.io/en/stable/user-guide/tool_detection/#disable-built-in-tools). The config key is called `jsonnet.enable` since the same build tool is used for both Jsonnet and plain-manifest (\"directory\") sources.\n\n#### Mitigations\n\n* Avoid mounting JSON-formatted secrets as files on the repo-server.\n* Upgrade to \u003e=2.3.0 to significantly reduce the risk of leaking out-of-bounds manifest files. Starting with 2.3.0, repository paths are randomized, and read permissions are restricted when manifests are not being actively being generated. This makes it very difficult to craft and use a malicious symlink.\n* Upgrade to \u003e=2.3.3, \u003e=2.2.8, or \u003e= 2.1.14 to significantly reduce the risk of leaking the contents of (but not the existence of) out-of-bounds manifest files. These versions prevent attackers from loading manifests which are not permitted in the Project which governs the Application. \n\n#### Best practices which can mitigate risk\n\n* Limit who has push access to manifest repositories.\n* Limit who is allowed to configure new source repositories.\n* Limit resource kinds and destinations allowed for Projects, and restrict user access to only the necessary Projects.\n\n### Credits\n\nThis vulnerability was originally discovered as part of the Trail of Bits audit, published March 12, 2021. The behavior was left unchanged at the time.\n\nThe vulnerability was independently re-discovered by @crenshaw-dev, who contributed the patch. A security audit by Ada Logics independently followed up on the Trail of Bits report around the same time.\n\n### References\n\n* List of [types of Applications](https://argo-cd.readthedocs.io/en/stable/user-guide/application_sources/), including directory-type\n* [RBAC documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/), showing how to limit repository permissions\n* [Project documentation](https://argo-cd.readthedocs.io/en/stable/user-guide/projects/), showing how to limit allowable resource kinds and destinations \n\n### For more information\nOpen an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\nJoin us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n",
  "id": "GHSA-6gcg-hp2x-q54h",
  "modified": "2022-05-23T21:13:57Z",
  "published": "2022-05-23T21:13:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24904"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/5e767a4b9e30983330c0fdec322192281a90eb84"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/7357cfdb58a560de70a0538c6e3bef6fe39505ea"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/d36d95dc9f71ec61c1a93794f81ece6d61a0d943"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4"
    },
    {
      "type": "PACKAGE",
      "url": "github.com/argoproj/argo-cd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server"
}

GHSA-6H65-6827-8QP2

Vulnerability from github – Published: 2022-05-17 02:10 – Updated: 2022-05-17 02:10
VLAI
Details

Open redirect vulnerability in wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backto parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-6762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-04-28T16:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Open redirect vulnerability in wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backto parameter.",
  "id": "GHSA-6h65-6827-8qp2",
  "modified": "2022-05-17T02:10:13Z",
  "published": "2022-05-17T02:10:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6762"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50382"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2008-12/0226.html"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/52213"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2009/dsa-1871"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6HFR-HXPF-C7M6

Vulnerability from github – Published: 2024-12-06 18:30 – Updated: 2025-09-23 15:31
VLAI
Details

A link following vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.

We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QTS 5.2.0.2802 build 20240620 and later QuTS hero h5.1.8.2823 build 20240712 and later QuTS hero h5.2.0.2802 build 20240620 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-06T17:15:10Z",
    "severity": "HIGH"
  },
  "details": "A link following vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.8.2823 build 20240712 and later\nQTS 5.2.0.2802 build 20240620 and later\nQuTS hero h5.1.8.2823 build 20240712 and later\nQuTS hero h5.2.0.2802 build 20240620 and later",
  "id": "GHSA-6hfr-hxpf-c7m6",
  "modified": "2025-09-23T15:31:06Z",
  "published": "2024-12-06T18:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53691"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-24-28"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6HJQ-RGP4-842X

Vulnerability from github – Published: 2025-07-08 09:31 – Updated: 2025-07-08 09:31
VLAI
Details

A low privileged remote attacker with file access can replace a critical file used by the watchdog to get read, write and execute access to any file on the device after the watchdog has been initialized.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T07:15:25Z",
    "severity": "HIGH"
  },
  "details": "A low privileged remote attacker with file access can replace a critical file used by the watchdog to get read, write and execute access to any file on the device after the watchdog has been initialized.",
  "id": "GHSA-6hjq-rgp4-842x",
  "modified": "2025-07-08T09:31:29Z",
  "published": "2025-07-08T09:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41666"
    },
    {
      "type": "WEB",
      "url": "https://certvde.com/en/advisories/VDE-2025-054"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HVX-3MCF-V9XF

Vulnerability from github – Published: 2022-05-01 02:03 – Updated: 2024-01-26 18:30
VLAI
Details

linki.py in ekg 2005-06-05 and earlier allows local users to overwrite or create arbitrary files via a symlink attack on temporary files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2005-1916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2005-07-06T04:00:00Z",
    "severity": "LOW"
  },
  "details": "linki.py in ekg 2005-06-05 and earlier allows local users to overwrite or create arbitrary files via a symlink attack on temporary files.",
  "id": "GHSA-6hvx-3mcf-v9xf",
  "modified": "2024-01-26T18:30:30Z",
  "published": "2022-05-01T02:03:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-1916"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=112060146011122\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=112198499417250\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2005/dsa-760"
    },
    {
      "type": "WEB",
      "url": "http://www.zataz.net/adviso/ekg-06062005.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6J4P-VQ7V-X6G8

Vulnerability from github – Published: 2022-05-01 23:59 – Updated: 2022-05-01 23:59
VLAI
Details

Unspecified vulnerability in Links before 2.1, when "only proxies" is enabled, has unknown impact and attack vectors related to providing "URLs to external programs."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-3329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-07-27T22:41:00Z",
    "severity": "HIGH"
  },
  "details": "Unspecified vulnerability in Links before 2.1, when \"only proxies\" is enabled, has unknown impact and attack vectors related to providing \"URLs to external programs.\"",
  "id": "GHSA-6j4p-vq7v-x6g8",
  "modified": "2022-05-01T23:59:10Z",
  "published": "2022-05-01T23:59:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3329"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44035"
    },
    {
      "type": "WEB",
      "url": "http://links.twibright.com/download/ChangeLog"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/30422"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6JCC-G9H6-FGHC

Vulnerability from github – Published: 2025-12-12 21:31 – Updated: 2025-12-15 15:30
VLAI
Details

This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Tahoe 26.1. A malicious app may be able to delete protected user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43381"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-12T21:15:53Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Tahoe 26.1. A malicious app may be able to delete protected user data.",
  "id": "GHSA-6jcc-g9h6-fghc",
  "modified": "2025-12-15T15:30:30Z",
  "published": "2025-12-12T21:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43381"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125634"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6JCP-4MFR-QVPM

Vulnerability from github – Published: 2022-05-17 05:53 – Updated: 2022-05-17 05:53
VLAI
Details

** DISPUTED ** os-prober in os-prober 1.17 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/mounted-map or (2) /tmp/raided-map temporary file. NOTE: the vendor disputes this issue, stating "the insecure code path should only ever run inside a d-i environment, which has no non-root users."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5135"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-18T16:00:00Z",
    "severity": "MODERATE"
  },
  "details": "** DISPUTED **  os-prober in os-prober 1.17 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/mounted-map or (2) /tmp/raided-map temporary file.  NOTE: the vendor disputes this issue, stating \"the insecure code path should only ever run inside a d-i environment, which has no non-root users.\"",
  "id": "GHSA-6jcp-4mfr-qvpm",
  "modified": "2022-05-17T05:53:37Z",
  "published": "2022-05-17T05:53:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5135"
    },
    {
      "type": "WEB",
      "url": "http://lists.debian.org/debian-devel/2008/08/msg00285.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.debian.org/debian-devel/2008/08/msg00296.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6JHM-J4GF-HVJX

Vulnerability from github – Published: 2024-11-23 03:31 – Updated: 2024-11-23 03:31
VLAI
Details

Avast Free Antivirus AvastSvc Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Free Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Avast Service. By creating a symbolic link, an attacker can abuse the service to delete a folder. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22963.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-22T22:15:15Z",
    "severity": "HIGH"
  },
  "details": "Avast Free Antivirus AvastSvc Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Free Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the Avast Service. By creating a symbolic link, an attacker can abuse the service to delete a folder. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22963.",
  "id": "GHSA-6jhm-j4gf-hvjx",
  "modified": "2024-11-23T03:31:58Z",
  "published": "2024-11-23T03:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7232"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.